WCF：尝试使用自签名证书和“PeerTrust”建立双向互信SSL身份验证

Question

WCF：尝试使用自签名证书和“PeerTrust”建立双向互信SSL身份验证

wcfsslcertificate

4

我正在尝试在同一台计算机上设置具有相互SSL身份验证的WCF服务和客户端。

我已经：

为服务器和客户端创建了证书，并将这些证书放置在LocalMachine证书存储中。服务器和客户端的私钥位于“个人”存储中，而公钥位于“受信任的人”存储中。
我已经配置了一个WCF服务和客户端，每个都指定了自己的证书引用，并设置其他方的证书引用以使用

<authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />

注意：服务器证书是发给机器名称的，由客户端调用的服务URL是'https：\tokenservice\tokenservice.svc'

通过此配置，我期望客户端能够安全地连接到服务，每一端都会从“受信任的人”存储中解析证书，但我得到了以下错误，表明证书验证失败：

[AuthenticationException: The remote certificate is invalid according to the validation procedure.]

所以这并不像我预期的那样工作。有人能指出任何错误吗？或者我的期望是不正确的吗？

下面是WCF配置：

    <?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="CertificateForClient">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="CertificateBehaviour">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="PeerTrust"
                              trustedStoreLocation="LocalMachine" />
            </clientCertificate>
            <serviceCertificate findValue="CN='ServerCertificate which is machine name'"
            storeLocation="LocalMachine" storeName="My"
            x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="TokenService.TokenService" behaviorConfiguration="CertificateBehaviour">
        <endpoint contract="TokenService.ITokenService"
            binding="wsHttpBinding" />
        <endpoint contract="IMetadataExchange"
            binding="mexHttpBinding" address="mex">
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="https://tokenservice" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
 <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

</configuration>

客户端配置：

  <system.serviceModel>
<behaviors>
  <endpointBehaviors>
    <behavior name="ClientBehaviour">
      <clientCredentials>
        <clientCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" findValue="CN=TokenClient"/>
        <serviceCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine"></authentication>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<bindings>
  <wsHttpBinding>
    <binding name="ClientBinding">
      <security mode="Transport">
        <transport clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<client>
  <endpoint address="https://tokenservice/TokenService.svc"
    behaviorConfiguration="ClientBehaviour"
    binding="wsHttpBinding" bindingConfiguration="ClientBinding"
    contract="TokenService.ITokenService" name="ToolClient">
    <identity>
      <dns value="MachineName" />
    </identity>
  </endpoint>
</client>

- theringostarrs

这个有什么进展吗？我很想看看你是如何做到的。 - azcoastal

2个回答

0

服务的基本URL应该是服务器证书名称。

例如：

如果我的服务器证书名称是test.cer，那么我的服务URL应该是https://test/MyService/MyService.svc。

您是按照这种方式设置您的服务吗？

- The Mahahaj

网页内容由stack overflow 提供, 点击上面的

可以查看英文原文，
原文链接

- magnus · Accepted Answer

PeerTrust和ChainTrust提供的内置授权在使用互相SSL进行传输层身份验证时无法使用。

而且，说实话，在许多情况下，PeerTrust不能提供所需的授权过程控制。

解决这个问题的一个非常普遍的方法是插入自定义ServiceAuthorizationManager并覆盖其OnAccess方法。

<behavior name="ServerCertificateBehavior">
  <serviceCredentials>
    <serviceCertificate ....  />
  </serviceCredentials>
  <serviceAuthorization serviceAuthorizationManagerType="MyCustomCertificateAuthorizationManager, MyWCFExtensions.Security" />
</behavior>

ServiceAuthorizationManager可以用几行代码实现非常静态的简单证书检查，也可以根据需求进行更复杂的检查。

这个简单的概念验证希望能帮助您入门：

public class MyCustomCertificateAuthorizationManager : ServiceAuthorizationManager
{

    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        base.CheckAccess(operationContext, ref message);
        string action = operationContext.IncomingMessageHeaders.Action;

        List<string> approvedActions = new List<string> 
        { 
            "http://kramerica.lan/namespace/MySpecialMethod",
            "http://kramerica.lan/namespace/AnotherMethod"
        };

        List<string> approvedThumbprints = new List<string> 
        { 
            "‎1aaffe105b31b79b66c31de3389203d42351683a",
            "‎f1bcfbc6383bcbfa736473bcaf109987bbc2121a"
        };


        //One way is do the authorization based on the action if the endpoint is used for more than one operation with different ACL needs
        if (approvedActions.Contains(action))
        {
            foreach (ClaimSet claimSet in OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets)
            {
                X509CertificateClaimSet certificateClaimSet = claimSet as X509CertificateClaimSet;
                if (certificateClaimSet != null)
                {
                    //Get the actual certificate used by the client
                    X509Certificate2 certificate = certificateClaimSet.X509Certificate;

                    //Here a real validation of certificate issuer chain etc. could be made
                    if (certificate != null)
                    {
                        //This proof-of-concept does authorization based on a static list of thumbprints but about anything os possible here.
                        //One could easily check if this certificate
                        //is present in the TrustedPeople store or some database backend
                        if (approvedThumbprints.Contains(certificate.Thumbprint))
                            return true;
                    }
                }
            }
        }
        return false;
    }
}